16.08.2010
23.35 The specific content of notification obligations to be imposed on agencies and organisations is discussed separately below. In general terms these address the fact, and purposes, of collection; usual disclosure practices; and an individual’s rights relating to his or her personal information.
23.36 An initial question that arises, however, is in what circumstances should an agency or organisation be required to notify individuals or otherwise ensure that they are aware of particular matters relating to the collection and handling of their personal information? A consideration of this issue also involves an assessment of whether:
there need to be exceptions to the circumstances in which the obligations will ordinarily be assumed to arise; and
an obligation to notify should be imposed on agencies and organisations when they collect personal information from someone other than the individual concerned.
23.37 Each of these issues is considered below.
Reasonable steps
Background
23.38 Currently, when an organisation collects personal information, either from the individual concerned or a third party, it is required to take ‘reasonable steps’ to ensure that the individual from whom the organisation collects the information is aware of certain specified matters.[35] There is some uncertainty over what is meant by the term ‘reasonable steps’ and, especially, whether an organisation legitimately may conclude that, in certain circumstances, it would be reasonable to take no steps.
23.39 For example, the OPC review of the private sector provisions of the Privacy Act 1988 (OPC Review) stated that it would be reasonable to take no steps to provide notice where significant cost or difficulty is involved in contacting a third party whose information has been collected incidentally, or in many circumstances where the information is collected from a public source.[36] The OPC Review recommended that the legislation be amended to make it clear that that there are situations in which the reasonable steps an organisation might take to provide notice to an individual may equate to no steps.[37]
23.40 The OPC’s guidance on the meaning of ‘reasonable step’ provides, in part, as follows:
Where the circumstances of collection make a matter listed in NPP 1.3 obvious, the ‘reasonable steps’ might not involve any active measures because the circumstances speak for themselves. For example, in many cases, the identity of the organisation collecting the personal information could be obvious from the circumstances. It may be less obvious on the Internet and when other electronic technologies are used …
Deciding what are reasonable steps involves balancing a number of possible factors, including the importance to the individual of having the relevant knowledge and the cost to the organisation in providing that information.[38]
23.41 Currently, the corresponding obligation imposed on agencies is to ‘take such steps (if any) as are, in the circumstances, reasonable to ensure that’ the individual concerned is generally aware of specified matters.[39] It is clear, therefore, that in respect of the obligations imposed on agencies it might be reasonable to take no steps to provide notice.[40] The privacy legislation of New Zealand also frames the relevant obligation in this way,[41] but sets out expressly a number of circumstances in which an agency is not required to take any such steps. These circumstances include, for example:
if the agency, on a recent previous occasion, has taken those steps in relation to the collection of personal information from an individual, involving notification of the ‘same information or information of the same kind’;
if the agency believes, on reasonable grounds that:
– non-compliance would not prejudice the interests of the individual concerned;
– non-compliance is necessary for law enforcement purposes;
– non-compliance is authorised by the individual concerned; or
– compliance would prejudice the purposes of the collection; and
either the information will:
– not be used in a form in which the individual concerned is identified; or
– will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.[42]
Submissions and consultations
23.42 In IP 31, the ALRC asked whether the Privacy Act should be amended to clarify that there may be circumstances in which it is reasonable for organisations to take no steps to ensure that an individual is aware of specified matters relating to the collection of personal information.[43]
23.43 A large number of stakeholders supported such an amendment.[44] Some stakeholders provided examples of circumstances in which it would be reasonable for an organisation to take no steps to notify an individual. These included the following:
where an organisation receives information from a related body corporate, especially if the individual would reasonably expect the information to be shared in this way;[45]
where an insurer collects information about the medical history of family members of an individual client;[46]
where notifying an individual that information about the individual has been collected as part of an alternative dispute resolution scheme may put at risk the safety of third parties;[47]
in the context of ‘family, social or medical history-taking’;[48] and
in the course of an investigation into possible wrongdoing.[49]
23.44 Some stakeholders, however, submitted that no amendment was needed to the ‘reasonable steps’ requirement. The Australian Privacy Foundation submitted that an amendment which clarified that taking no steps could be reasonable ‘would invite self serving interpretation to avoid giving notice even where it was both reasonable and practicable’.[50] DLA Phillips Fox submitted that NPP 1.3 already sets out ‘an objective test of what is reasonable in the circumstances’.[51]
23.45 Telstra suggested that the OPC should issue detailed guidelines on what steps are required to provide notification in various circumstances.[52] The Law Council of Australia submitted that, if a person relies on advice from the OPC that no steps are required, then this should be a full defence if a complaint is later made about the person.[53]
23.46 In DP 72, the ALRC proposed that the OPC provide guidance on the meaning of the term ‘reasonable steps’ in this context.[54] This proposal was generally supported.[55] Medicare Australia stated that the guidance should make it clear that there are circumstances in which it could be reasonable for no steps to be taken.[56] Some stakeholders that supported the proposal also expressed support for legislative clarification. For example:
The OPC submitted that the words ‘if any’ should be added after ‘reasonable steps’, to make it clear that the taking of no steps could be reasonable.[57]
The Australian Privacy Foundation submitted that ‘far more of the detail of what the requirements mean in practice should be incorporated in the principle itself, leaving less to be covered in guidance’.[58]
The National Health and Medical Research Council (NHMRC) submitted that the new Privacy (Health Information) Regulations should provide that individuals need not be notified when personal information is collected in confidence. It also submitted that the new regulations or the proposed guidance should specify that it would be reasonable to take no steps to notify an individual about the collection of his or her personal information, where the information was collected in the context of taking a family, medical or social history, or in relation to quality assurance and approved research activities.[59]
23.47 PIAC, however, expressed the view that, while guidance on the meaning of ‘reasonable steps’ in the context of the notification requirements is necessary, it is preferable for such guidance to be included in the Privacy Act, regulations or in binding codes.[60]
ALRC’s view
23.48 The Privacy Act should make it clear that there may be circumstances where it will be reasonable for an agency or organisation to take no steps to notify or otherwise ensure that an individual is aware of specified matters resulting from the collection of his or her personal information. The ‘Notification’ principle, therefore, should provide expressly that an agency or organisation is obliged to take ‘such steps, if any, as are reasonable in the circumstances’ to notify or otherwise ensure that an individual is aware of specified matters. Such an approach is consistent with that currently adopted in the IPPs and the privacy legislation of New Zealand.
23.49 Providing legislative clarification in this regard is essential to address the confusion caused by the fact that use of the phrase ‘must take reasonable steps’ in NPP 1 appears to imply that some active steps must be taken by an organisation when collecting personal information. This is despite the fact that, in certain circumstances, logic dictates that it would be reasonable for no steps to be taken.
23.50 In addition to legislative clarification, the OPC should develop and publish guidance to assist agencies and organisations in complying with the ‘Notification’ principle. The guidance should address specific circumstances when it would be reasonable for no steps to be taken to notify individuals about the collection of their personal information. In this regard, the guidance should address areas identified by stakeholders as needing clarification,[61] as well as areas currently recognised in other jurisdictions as properly being excluded from the ambit of the obligation to take reasonable steps. The guidance should address, therefore, circumstances when:
notification would prejudice the purpose of collection, for example, when it would prejudice:
– the prevention, detection, investigation and prosecution of offences, breaches of a law imposing a penalty or seriously improper conduct;
– the enforcement of laws; or
– the protection of the public revenue;
collection of personal information is required or authorised by or under law for statistical or research purposes;
the personal information is collected from an individual on repeated occasions;
an individual has been made aware of the relevant matters by the agency or organisation which disclosed the information to the collecting agency or organisation;
non-compliance with the principle is authorised by the individual concerned;
non-compliance with the principle is required or authorised by or under law;
notification would pose a serious threat to the life or health of any individual; and
health services collect family, social or medical histories.[62]
Should there be exceptions or other qualifications to the principle?
Background
23.51 The ALRC examined whether the ‘Notification’ principle should set out the circumstances in which an agency or organisation will not be required to comply.
23.52 Currently, the IPPs do not provide for any exceptions to the notification requirements as they apply to the collection of personal information by agencies. Similarly, the NPPs do not provide for any exceptions to the notification requirements as they apply to the collection of personal information by organisations directly from the individual concerned. The NPPs do provide, however, that where an organisation collects personal information about an individual from someone another than the individual concerned, the notification requirements apply ‘except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual’.[63]
23.53 As noted above, the privacy legislation of New Zealand sets out a number of exceptions to the notification requirements within the body of the principle dealing with collection of personal information.
23.54 In DP 72, the ALRC proposed a number of exceptions to the ‘Notification’ principle. In addition, stakeholders made submissions about the creation of other exceptions. These are addressed separately below.
Submissions and consultations
Required or specifically authorised by or under law
23.55 In DP 72, the ALRC proposed that agencies that collect personal information—whether directly from an individual or from someone other than the individual—should not be required to comply with the notification requirements if they are required or specifically authorised by or under law not to make the individual aware of one or more of the matters to be notified.[64]
23.56 Many stakeholders supported the proposal.[65] Some submitted that the application of the proposed exception should be extended to cover organisations, in addition to agencies.[66] Other stakeholders opposed the proposal.[67] The OPC, for example, submitted that such an exception would be unnecessary if the principle stipulates expressly that it might be reasonable to take no steps to comply. It stated that such an approach would provide adequately for circumstances ‘where notification would be counter to the functions of an agency’.[68]
23.57 A number of stakeholders submitted that the exception is insufficient in itself to enable agencies to exercise their functions. These stakeholders submitted that ‘other public interest’ exceptions to the principle are required to:
enable agencies involved in law enforcement, intelligence, investigations or complaint handling to perform properly all of their functions;[69]
prevent an impediment, or prejudice, to an investigation;[70]
allow investigations into collection of revenue that an agency is authorised to collect and recover, such as child support payments;[71] and
protect the public revenue.[72]
23.58 A number of stakeholders expressed concern about the proposed requirement that an agency be ‘specifically authorised’ by or under law not to make the individual aware of certain matters.[73] Stakeholders noted the absence of laws that specifically authorise non-compliance with the matters proposed to be the subject of the notification requirements.[74]
23.59 Medicare Australia submitted that such a requirement ‘could have implications for the effective administration of government programs, especially our compliance and investigation functions’.[75] The Australian Federal Police (AFP) stated that:
The use of the word ‘specifically’ assumes that all the powers and functions of an agency will always be set out expressly in the legislation. However, practical experience demonstrates that the legislation does not always address every issue and it is sometimes necessary to determine what is required by necessary implication as well as by what is expressed.[76]
Reasonable expectations
23.60 In DP 72, the ALRC proposed that agencies and organisations that collect personal information—whether directly from an individual or from someone other than the individual—should be required to comply with the notification requirements only in circumstances where a reasonable person would expect to be notified.[77]
23.61 Some stakeholders expressed concerns about this proposed qualification on the basis that it is unnecessary and would lower privacy protections by introducing an additional ‘reasonableness’ test.[78] For example, the OPC expressed concern that
the introduction of the proposed ‘reasonable person test’ establishes a threshold test for agencies and organisations to determine whether they are under an obligation to provide specific notification. Only once they have determined that the notification requirements are applicable to the circumstances, do they then need to consider what might constitute ‘reasonable steps’. As such, the Office is concerned that [it] effectively establishes a mechanism by which agencies and organisations can exclude themselves from their notification obligations entirely.[79]
23.62 Other stakeholders raised concerns about the practicalities of applying a ‘reasonable person’ test. In particular:
The Department of Agriculture, Fisheries and Forestry stated that it was likely to be unclear when a ‘reasonable person’ would expect to be notified.[80]
The Australian Taxation Office (ATO) expressed the view that the application of a reasonable person test could be problematic in circumstances where it receives anonymous information about taxpayers. While such information is important, for example, in the identification of potential tax avoidance schemes, the ATO noted that a ‘reasonable person’ might expect to be notified of the receipt of such information in order to rebut its content or implications.[81]
23.63 The Australian Privacy Foundation submitted that the qualification should be redrafted to make it a subjective, rather than objective, test. It suggested that an agency or organisation should comply with the notification requirements unless ‘it reasonably believes that there is a reasonable expectation on the part of individuals that they not be notified’.[82]
Threat to individual’s health and life
23.64 In DP 72, the ALRC proposed that agencies and organisations that collect personal information—whether directly from an individual or from someone other than the individual—should be required to comply with the notification requirements except to the extent that making the individual aware of the specified matters would pose a serious threat to the life or health of any individual.[83]
23.65 This proposal received strong support from two stakeholders.[84] Other stakeholders, however, opposed the exception on various grounds. These included that the exception would be addressed adequately by making it clear in the ‘Notification’ principle that there might be circumstances where it would be reasonable to take no steps to comply.[85] Further, stakeholders noted that such an exception does not currently apply to the collection of personal information directly from the individuals to whom the information relates. They questioned the policy basis for extending the application of the exception to direct collection.[86] For example, the Australian Privacy Foundation submitted:
Given that in the direct collection situation the individual will be aware that information is being collected, it seems unlikely that informing them of the [matters to be notified] could cause any additional harm.[87]
23.66 The Department of Foreign Affairs and Trade submitted that this exception should be expanded to include threats to an individual’s safety, public health and public safety.[88]
Research and statistics
23.67 The ALRC did not propose in DP 72 that there be an exception to the notification requirement where information is collected for statistical purposes or research. The Australian Bureau of Statistics (ABS) submitted that such an exception is necessary. It stated:
The ABS … collects information in relation to individuals other than from the individuals themselves. This can be seen, for example, in the Census, where one person in a household may complete the form for the entire household, or the Longitudinal Study of Australian Children … where information in relation to one parent may be provided by the other parent …
[A] requirement to advise the individual concerned when information about them is collected from another person could place an overwhelming administrative burden on the ABS.[89]
23.68 The ABS submitted that there should be an exception similar to that in the privacy legislation of New Zealand. That is, the exception should cover information that will:
not be used in a form in which the individual concerned is identified; or
be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.[90]
ALRC’s view
23.69 The qualification that an agency or organisation need only take such steps, if any, as are reasonable in the circumstances is significant. It enables the ‘Notification’ principle to be sufficiently high-level and flexible to be applied in a wide variety of circumstances, including those in which notifying an individual of specific matters relating to the collection of his or her personal information would not be reasonable.
23.70 It would be inconsistent with the adoption of high-level principles to introduce detailed and prescriptive rules concerning the application of this requirement. It is inappropriate even to make provision for a very limited number of exceptions to the principle. Such an approach creates a legitimate expectation that other valid circumstances also will be made the subject of an exception. This is likely to result in a proliferation of legislative exceptions, fundamentally at odds with a principles-based approach.[91]
23.71 Rather, as noted above, and consistent with the approach taken with respect to the ‘Collection’ principle, the OPC should develop and publish focused guidance, which addresses the types of circumstances in which it may be reasonable for an agency or organisation to take no steps to notify individuals about the collection of their personal information. Circumstances identified by stakeholders include where:
notification would prejudice the purposes of collection, for example in the context of law enforcement; and
the collection of personal information is required or authorised by or under law for statistical or research purposes.
23.72 The guidance should address circumstances in which not taking any steps to notify individuals about the collection of their personal information is authorised or required by or under law. The ALRC agrees that references to ‘specific’ authorisations by or under law are unhelpful because of the absence of laws that specifically authorise agencies and organisations not to take any steps to notify individuals about the matters recommended to be the subject of the notification requirements.[92]
23.73 The guidance also should address where notification would pose a threat to an individual’s health or safety. Such scenarios are more likely to arise where personal information is collected from third parties, rather than directly from the individual concerned.
23.74 It is also unnecessary and undesirable to qualify the notification requirements by providing that they arise only where a reasonable person would expect to be notified. It is sufficient that the principle provides that agencies and organisations are to take such steps, if any, as are reasonable in the circumstances. To add another test of reasonableness is confusing, and may also have the undesirable consequence of lowering privacy protections.
Collection of personal information from a third party
Background
23.75 The ALRC examined whether agencies and organisations should be required to comply with notification obligations regardless of whether they collect personal information directly from the individual concerned or from someone other than the individual.
23.76 Currently, agencies are obliged to ensure that individuals are aware of specified matters relating to the collection of their personal information only where they solicit the information from the individual concerned.[93]
23.77 In contrast, organisations are under an obligation to ensure individuals are aware of specified matters relating to the collection of their personal information, regardless of whether information is collected directly from the individual or from someone other than the individual.[94]
23.78 OPC guidance provides that the steps that an organisation would need to take to make an individual aware of relevant matters when it does not collect directly from the individual concerned ‘will depend on the circumstances’.[95]
23.79 One of the circumstances in which personal information is collected from third parties is in the context of the provision of health services. In this regard the Privacy Commissioner has issued Public Interest Determinations (PIDs), which allow health service providers to collect the personal information of third parties, without their consent, where it is relevant to a health consumer’s family, social or medical history.[96] The determinations do not exempt health service providers from notifying third parties of such collection. The Privacy Commissioner has stated, however, that an exemption is not necessary because the obligation imposed on organisations is to be interpreted as meaning that, in some circumstances, no steps need to be taken to notify an individual of the collection of his or her personal information.[97] Further, the OPC Review stated:
The collection of family, social and medical history information is a critical part of providing assessment, diagnosis and treatment to individuals. The Commissioner acknowledged that obtaining the consent of third parties to collect their information, and notifying those individuals about these collections, would be impractical, inefficient and detrimental to the provision of quality health outcomes.[98]
Submissions and consultations
23.80 In response to IP 31, a number of stakeholders submitted that agencies and organisations should be required to notify individuals of the collection of personal information regardless of the source of personal information.[99] It was noted that the contrary position would create ‘a risk that the intention of ensuring individuals were aware who was collecting their information and its use could be circumvented by using third party information providers’.[100]
23.81 In DP 72, the ALRC proposed that the obligation on agencies and organisations to ensure that an individual is aware of specified matters relating to the collection of personal information, should apply to circumstances where the information is collected from someone other than the individual concerned.[101]
23.82 There was support for this general approach.[102] For example, Carers Australia stated that the proposed approach is important for carers because personal information is sometimes collected without their knowledge in the course of providing a service to a person with a disability, illness or injury. It stated that:
The Specific Notification Principle will allow carers to access and, if necessary, correct information held about themselves. As noted, such a measure promotes fairness, transparency and accuracy.
Whilst generally welcome, this measure is particularly useful as a safeguard against malicious and/or vexatious claims of abuse, neglect or exploitation allegedly perpetrated by the carer.[103]
23.83 A number of agencies expressed concerns, however, about the administrative burden and ‘prohibitive’ cost that would be imposed by requirements relating to notification in circumstances where an agency collects personal information from someone other than the individual.[104] The ABS, for example, expressed concerns relating to the collection of personal information from third parties for statistical purposes.[105] The Department of Foreign Affairs and Trade stated that the proposal was problematic in the context of collecting personal information from third parties for the purpose of passport applications. It stated:
Most of the 1.4 million passport applications that are lodged each year require an applicant to provide information relating to a third party, such as details of parentage and spouse of the non-lodging parent on a child’s application, or guarantor details used to identify applicants. In such cases it would be prohibitively expensive and administratively challenging to advise these third parties of the information required under UPP 3.1.[106]
23.84 The Queensland Government submitted that notification obligations should arise only where an agency solicits personal information.[107] The Department of Defence expressed concern that the proposal could impact adversely on the process of vetting security clearances.[108]
23.85 Some tribunals noted that the proposed extension of the obligations in the IPPs to personal information collected from a third party appeared to be inconsistent with their adjudicative functions.[109]
23.86 Many stakeholders expressed concern about the proposed subject matter of the obligation—in particular, the proposal that an agency or organisation be required to inform an individual of the fact of collection and, on request, the source of personal information. These concerns are addressed separately below.[110]
23.87 In DP 72, the ALRC also proposed that the OPC should provide guidance on the circumstances in which it is necessary for an agency or organisation to notify an individual when it has received personal information about the individual from a source other than the individual concerned.[111]
23.88 This proposal received general support.[112] Medicare Australia, for example, expressed the view that OPC guidance would need to be tailored to cover specific sectors, and possibly even specific agencies.[113]
23.89 The NHMRC submitted that the guidance or the Privacy (Health Information) Regulations should specify that, in the context of taking a family, medical or social history or undertaking approved research activities, it would be reasonable to take no steps to notify the individual to whom the information relates that the information has been collected.[114]
ALRC’s view
23.90 Agencies and organisations should be subject to an obligation to notify or otherwise ensure an individual’s awareness of specified matters relating to the collection of his or her personal information, regardless of whether that information is collected directly from the individual or from someone other than the individual. Such an obligation is already incumbent on organisations.
23.91 The extension of the scope of the obligation as it applies to agencies will require agencies to consider the circumstances in which the obligations arise. They also will need to assess whether it will be reasonable, in exercising any of their functions, not to take any steps to notify individuals about the collection of their personal information. Again, the qualification that an agency or organisation need only take such steps, if any, as are reasonable in the circumstances is significant. The principle is worded at a sufficiently high level. It is flexible enough to cater for the wide range of circumstances in which agencies and organisations collect personal information from third parties.
23.92 Further, guidance to be developed and published by the OPC to assist agencies and organisations to comply with the ‘Notification’ principle should address specific circumstances where it would not be reasonable to provide notification where personal information has been collected from a third party. As mentioned above, such circumstances include, where:
the collection of personal information is required or authorised by or under law for statistical or research purposes;
notification would pose a serious risk to the life or health of any individual; or
health services collect family, social or medical histories.
23.93 As discussed in detail below, an agency or organisation that collects personal information from a third party should not be required to inform the individual concerned about the source of the information. This approach is likely to alleviate significantly the concerns expressed about the cost and administrative burden imposed by the notification requirements in the context of indirect collection of personal information.
23.94 Concerns expressed by tribunals about the impact of this requirement on their adjudicative functions are addressed by the ALRC’s recommendation to exempt partially tribunals from the operation of the Privacy Act.[115]
[35] See Privacy Act 1988 (Cth) sch 3, NPP 1.3, 1.5.
[36] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 260.
[37] Ibid, rec 75. Professor Roger Clarke has expressed a similar view: R Clarke, ‘Serious Flaws in the National Privacy Principles’ (1998) 4 Privacy Law & Policy Reporter 176, 179.
[38] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 28–29.
[39]Privacy Act 1988 (Cth) s 14, IPP 2.
[40] The OPC’s guidance on IPP 2 provides expressly that ‘an agency does not have to give details if giving the details would defeat the purpose of collecting the personal information’: Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994), 15.
[41]Privacy Act 1993 (NZ) s 6, Principle 3(1).
[42] See Ibid s 6, Principle 3(3)–(4).
[43] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–2.
[44] See, eg, Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; ANZ, Submission PR 173, 6 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Investment and Financial Services Association, Submission PR 122, 15 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007; Joint submission by Industry Based Alternative Dispute Resolution Schemes, Submission PR 93, 15 January 2007.
[45] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. A similar example given is where personal information is disclosed to a contracted service provider: Law Council of Australia, Submission PR 177, 8 February 2007.
[46] AXA, Submission PR 119, 15 January 2007.
[47] Joint submission by Industry Based Alternative Dispute Resolution Schemes, Submission PR 93, 15 January 2007. See also National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.
[48] National Health and Medical Research Council, Submission PR 114, 15 January 2007. See also the more detailed discussion of this issue in Part H.
[49] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[50] Australian Privacy Foundation, Submission PR 167, 2 February 2007.
[51] DLA Phillips Fox, Submission PR 111, 15 January 2007.
[52] Telstra, Submission PR 185, 9 February 2007.
[53] Law Council of Australia, Submission PR 177, 8 February 2007.
[54] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 20–7.
[55] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Federal Police, Submission PR 545, 24 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. One stakeholder stated that guidance, jointly produced by state and territory privacy commissioners, would be useful: Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[56] Medicare Australia, Submission PR 534, 21 December 2007.
[57] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. Another stakeholder also submitted that it should be made clear that ‘there are circumstances in which no notification is required to be given’: GE Money Australia, Submission PR 537, 21 December 2007.
[58] Australian Privacy Foundation, Submission PR 553, 2 January 2008.
[59] National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[60] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[61] Many of the views expressed by stakeholders about areas requiring clarification are set out below, particularly in discussions which consider the issue of exceptions to the ‘Notification’ principle.
[62] This is considered further below in the discussion about collection of personal information from third parties.
[63]Privacy Act 1988 (Cth) sch 3, NPP 1.5.
[64] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–4, 20–5(b)(iii).
[65] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.
[66] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.
[67] Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[68] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[69] Australian Federal Police, Submission PR 545, 24 December 2007; Human Rights and Equal Opportunity Commission, Submission PR 500, 20 December 2007; Confidential, Submission PR 448, 11 December 2007. The Queensland Government stated that ‘it would be counter-productive to require … notice to be given where the information was legitimately collected as part of law enforcement activities without the individual being aware’: Queensland Government, Submission PR 490, 19 December 2007.
[70] Australian Government Centrelink, Submission PR 555, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007.
[71] Australian Government Department of Human Services, Submission PR 541, 21 December 2007
[72] Australian Government Centrelink, Submission PR 555, 21 December 2007.
[73] Australian Federal Police, Submission PR 545, 24 December 2007; Medicare Australia, Submission PR 534, 21 December 2007.
[74] Confidential, Submission PR 488, 19 December 2007; Confidential, Submission PR 448, 11 December 2007.
[75] Medicare Australia, Submission PR 534, 21 December 2007.
[76] Australian Federal Police, Submission PR 545, 24 December 2007.
[77] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–2(1); 20–5(b)(i).
[78] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[79] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[80] Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008.
[81] Australian Taxation Office, Submission PR 515, 21 December 2007.
[82] Australian Privacy Foundation, Submission PR 553, 2 January 2008. Another stakeholder expressed a similar view: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[83] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–2(2); 20–5(b)(ii).
[84] Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007.
[85] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[86] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[87] Australian Privacy Foundation, Submission PR 553, 2 January 2008.
[88] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.
[89] Australian Bureau of Statistics, Submission PR 383, 6 December 2007.
[90] Ibid.
[91] See Ch 4.
[92] See also Ch 16.
[93]Privacy Act 1988 (Cth) s 14, IPP 2.
[94] Ibid sch 3, NPP 1.3, 1.5.
[95] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 32.
[96] See Privacy Commissioner, Public Interest Determination 10, effective 11 December 2007; Privacy Commissioner, Public Interest Determination 10A, effective 11 December 2007. These replaced PIDs 9 and 9A, and are discussed in Ch 63.
[97] Privacy Commissioner, Public Interest Determination 10A, effective 11 December 2007, 9.
[98] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 274.
[99] See, eg, Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007.
[100] DLA Phillips Fox, Submission PR 111, 15 January 2007.
[101] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 20–5.
[102] See, eg, Optus, Submission PR 532, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Carers Australia, Submission PR 423, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. See also Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. The Australian Direct Marketing Association stated that it ‘did not disagree’ with this proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.
[103] Carers Australia, Submission PR 423, 7 December 2007.
[104] See, eg, Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Government Department of Families‚ Housing‚ Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008; Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Bureau of Statistics, Submission PR 383, 6 December 2007.
[105] Australian Bureau of Statistics, Submission PR 383, 6 December 2007.
[106] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.
[107] Queensland Government, Submission PR 490, 19 December 2007.
[108] Australian Government Department of Defence, Submission PR 440, 10 December 2007.
[109] Migration Review Tribunal and Refugee Review Tribunal, Submission PR 533, 21 December 2007.
[110] See discussion on subject matter of notification.
[111] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 20–6.
[112] Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Federal Police, Submission PR 545, 24 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Carers Australia, Submission PR 423, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. Suncorp Metway Ltd opposed the proposal: Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.
[113] Medicare Australia, Submission PR 534, 21 December 2007.
[114] National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[115] See Rec 35–2.